Data Processing Agreement

This Data Processing Agreement (“DPA”) constitutes a legal agreement between you or the entity or company you represent (“Customer”) and Bedrock Data (“Supplier”) with respect to the terms governing the Processing of Personal Data under the Bedrock Data End User Subscription Agreement (the “Agreement”) and this DPA herein. This DPA is an amendment to the Agreement and is effective upon its incorporation into the Agreement. Incorporation may be specified in the Agreement, an Order, or as an executed amendment to the Agreement.

Any terms not explicitly defined in this DPA have the meaning set forth in the Agreement.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data, as set forth in the General Data Protection Regulation.

“Customer Data” means what is defined in the Agreement as “Customer Data”.

“Data Protection Law” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.

“Data Subject” means the individual for whom data processing relates.

“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

“Party” & “Parties” means Bedrock Data and the Customer separately, or jointly, as the case may be.

“Personal Data” means any information relating to an identified or identifiable natural person, see article 4(1) of the GDPR, where such information is contained within the Customer Data and is protected similarly as personally identifiable information under applicable Data Protection Law.

“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.

“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, as set forth in the General Data Protection Regulation.

2. Details of Processing

2.1 Roles of the Parties.

The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, Bedrock Data is the Processor and that Bedrock Data will engage Sub-processors pursuant to the requirements set forth in section 4.6 below.

2.2 Purpose of Processing.

Personal Data will be Processed for purposes of providing the Services set out and otherwise agreed upon in the Agreement and Service Order. For the avoidance of doubt, this means synchronizing Controllers data to make it consistent across cloud based applications and/or providing a version of said data placed into a database repository such that is may be interrogated and used by Controller for valid business purposes.

Contact information the likes of which are determined by the Controller at their own discretion. Common information includes name, email, company, and job title. Additional information such as website navigational and usage information, possibly including IP address, marketing activity, application usage information, or any other electronic data received during the usage of the Subscription Service.

2.5. Duration of Processing.

The parties agree that on the termination of the provision of data-processing services, the data Processor and any sub-processors shall, at the choice of the Controller, return all the Personal Data transferred and the copies thereof to the Controller or shall destroy all the Personal Data and certify to the Controller that it has done so, unless legislation imposed upon Processor prevents it from returning or destroying all or part of the Personal Data transferred. In that case, the Processor warrants that it will guarantee the confidentiality of the Personal Data transferred and will not actively process the Personal Data transferred anymore.

3. Controller's Obligations

3.1 Controller’s Personal Data.

Controller’s instructions for Processing of Personal Data shall comply with the Data Protection Law. Controller will ensure that any Personal Data added by Controller or Controller’s customers will not violate any Data Protection Law. If Controller finds out it is exporting data to the Processor in violation of the Data Protection Law, it will immediately notify the Processor.

3.2 Special Categories of Personal Data.

If the transfer involves special categories of data, the Data Subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC.

3.3 Sub-processors.

In the event the Controller has employed sub-processors, the sub-processing is carried out in accordance with the applicable Data Protection Law and with at least the same level of protection for the Processing of Personal Data as the Processor under this DPA.

4. Processor's Obligations

4.1 Instructions.

Bedrock Data is instructed to process Personal Data only for the purposes of providing the data Processing services set out within the scope of the Controller. The Processor will not process or use the Controller’s Personal Data for any other purpose than provided in the instructions and set out in the Agreement, including the transfer of Personal Data to any third country or an international organization, unless the Processor is required to do so according to Union or member state law. In that case, the Processor shall inform the Controller in writing of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

If the Controller in the instructions or otherwise in writing has given permission to a transfer of Personal Data to a third country or to international organizations, the Processor must ensure that there is a legal basis for the transfer of Personal Data to third countries.

If the Processor considers an instruction from the Controller to be in violation of the GDPR, the Processor shall immediately inform the Controller in writing about this.

4.2 Confidentiality.

The Processor shall keep Personal Data confidential. The Processor must ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

The Processor shall not disclose the Personal Data to third parties or take copies of Personal Data unless strictly necessary for the performance of the Processor’s obligations towards the Controller according to the DPA, and on condition that whoever Personal Data is disclosed to is familiar with the confidential nature of the data and has accepted to keep the Personal Data confidential in accordance with this DPA.

4.3 Security.

In accordance with Bedrock Data’s Privacy Policy and Security and Technology Policy, Bedrock Data will maintain appropriate organizational and technical security measures -- including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of Customer Personal Data while in transit and at rest -- to prevent that the Personal Data processed is (i) accidentally or unlawfully destroyed, lost, or altered, (ii) disclosed or made available without authorization, or (iii) otherwise processed in violation of Data Protection Law.

Bedrock Data will be responsible for the sufficiency of the security, privacy, and confidentiality safeguards of all Bedrock Data personnel with respect to Customer Personal Data and liable for any failure by such Bedrock Data personnel to meet the terms of this DPA.

4.4 Data Breach.

The Processor must without undue delay after becoming aware of the facts in writing notify the Controller about: (i) any request for disclosure of Personal Data processed under the Agreement by authorities, unless expressly prohibited under Union or member state law, (ii) any suspicion or finding of breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by the Processor under the Agreement, (iii) any request for access to the Personal Data received directly from the Data Subjects or from third parties.

4.5 Data Subject Requests.

Processor will provide reasonable assistance, including by appropriate technical and organizational measures and taking into account the nature of the Processing, to enable Controller to respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Law with respect to Personal Data (including access, rectification, restriction, deletion or portability of Personal Data, as applicable), to the extent permitted by the law. If such request is made directly to Processor, Processor will promptly inform Controller and will advise Data Subjects to submit their request to the Controller. Controller shall be solely responsible for responding to any Data Subjects’ requests. Controller shall reimburse Processor for the costs arising from this assistance.

4.6 Sub-processors.

Processor shall be entitled to engage sub-processors to fulfil Processor’s obligations defined in the Agreement only with Controller’s written consent. For these purposes, Controller consents to the engagement as sub-processors of Processor’s affiliated companies and the third parties listed in Exhibit A. For the avoidance of doubt, the above authorization constitutes Controller’s prior written consent to the sub-processing by Processor for purposes of Clause 11 of the GDPR Standard Contractual Clauses.

If the Processor intends to instruct sub-processors other than the companies listed in Exhibit A, the Processor will notify the Controller thereof in writing and will give the Controller the opportunity to object to the engagement of the new sub-processors within 30 days after being notified. The objection must be based on reasonable grounds (e.g. if the Controller proves that significant risks for the protection of its Personal Data exist at the sub-processor). If the Processor and Controller are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party. Controller shall receive a refund of any prepaid but unused fees for the period following the effective date of termination.

Where Processor engages sub-processors, the sub-processing is carried out in accordance with the applicable Data Protection Law and with at least the same level of protection for the Processing of Personal Data as the Processor under this DPA.

4.7 Data Transfers.

Controller acknowledges and agrees that, in connection with the performance of the Services under the Agreement, Personal Data will be transferred to Bedrock Data, Inc. in the United States. Bedrock Data, Inc. has certified to the EU-U.S. and Swiss-U.S. Privacy Shield Framework as administered by the U.S. Department of Commerce regarding the collection, use, disclosure, transfer, security, and retention of Personal Data from the European Union to the United States.

5. Audits

Upon written consent and within a reasonable time period, in order to ensure the Processor complies with this DPA, the Controller has the right from time-to-time to (i) request information from the Processor (ii) appoint an independent third-party consultant (iii) conduct an onsite inspection.

In the event of the above Processor shall provide Controller with all information necessary for such audit, provided such information is within Processor’s control and Processor is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.

Furthermore, Controller agrees any audit will not disrupt normal business operations and any individual – whether employed by the Controller or an independent third-party consultant – is of the required professional qualifications and bound by a duty of confidentiality.

6. Term and Termination

Term and Termination is inherited from the Agreement. Under the circumstances the Controller or the Processor has proven unable to uphold their obligations under this DPA, the DPA and the Agreement may be terminated immediately, provided reasonable written proof is presented to the parties.

7. General Provisions

This DPA is an amendment to and forms part of the Agreement. Upon the incorporation of this DPA into the Agreement, Controller and the Bedrock Data entity that are each a party to the Agreement are also each a party to this DPA.

The legal entity agreeing to this DPA as Controller, represents that it is authorized to agree to and enter into this DPA for, and is agreeing to this DPA solely on behalf of, the Controller.

In case of any conflict, this DPA shall take precedence over the regulations of the Agreement. Where individual provisions of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be impacted.

Effective 25 May 2018, Bedrock Data will process Personal Data in accordance with the GDPR requirements contained herein which are directly applicable to Bedrock Data’s provision of the Subscription Services.